
IBM LinuxONE For Dummies®, 2nd Limited Edition

Jun 07, 2022


These materials are © 2021 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

IBM LinuxONE

2nd Limited Edition

by Judith Hurwitz and Daniel Kirsch


IBM LinuxONE For Dummies®, 2nd Limited Edition

Published by

John Wiley & Sons, Inc.

111 River St.

Hoboken, NJ 07030-5774

www.wiley.com

Copyright © 2021 by John Wiley & Sons, Inc.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. IBM and the IBM logo are registered trademarks of International Business Machines Corporation. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE.  NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE.  FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services, or how to create a custom For Dummies book for your business or organization, please contact our Business Development Department in the U.S. at 877-409-4177, contact [email protected], or visit www.wiley.com/go/custompub. For information about licensing the For Dummies brand for products or services, contact BrandedRights&[email protected].

ISBN: 978-1-119-73650-9 (pbk); ISBN: 978-1-119-73652-3 (ebk). Some blank pages in the print version may not be included in the ePDF version.

Manufactured in the United States of America


Publisher’s Acknowledgments

Some of the people who helped bring this book to market include the following:

Project Manager: Carrie Burchfield-Leighton

Sr. Managing Editor: Rev Mengle

Acquisitions Editor: Ashley Coffey

Business Development Representative: Molly Daugherty

IBM Contributors: Susan Proietti Conti, Robert Enochs, Rebecca Gott, Teressa Jimenez, Adam Jollans, Michael Jordan, Brian Lang, Christina Malack, Alex McMullen, Ismath Mohideen, Sowmya Nataraji, Rohit Panjala, Traci Parker, Rushir Patel, Nada Santiago, Mark Shultz, Chad Smith, Enyu Wang


Table of Contents

INTRODUCTION
  About This Book
  Foolish Assumptions
  Icons Used in This Book

CHAPTER 1: Explaining IBM LinuxONE
  The Evolution of LinuxONE
  Looking at the LinuxONE Hardware
  Architecting Security into LinuxONE
  Protecting Data
    Secure Execution
    Data Privacy Passports
  Scalability and Performance
  Reliability
  The LinuxONE Ecosystem
  Workload Performance of LinuxONE
    Support for large high-performance databases
    Support for large number of containers
    Support for blockchain
    Support for DevOps
  The Customer Benefit of LinuxONE

CHAPTER 2: IBM LinuxONE as a Secure Platform
  Why You Need a Secure Platform
  IBM’s Approach to Security with LinuxONE
    Pervasive encryption
    Hardware Security Module (HSM)
  Explaining Data Privacy Passports
  Seeing the Value of Secure Execution for Linux

CHAPTER 3: Scalable Databases for IBM LinuxONE
  Scaling LinuxONE and Databases
    Scale up, not out
    Database scalability
    Consolidating databases
  LinuxONE as a Database Platform
  IBM Cloud Hyper Protect DBaaS

CHAPTER 4: IBM LinuxONE as a Cloud Platform
  The Role of Red Hat OpenShift Container Platform
  Understanding IBM Cloud Paks
    Cloud-optimized software and services
    Infrastructure flexibility
  IBM Cloud Hyper Protect Services

CHAPTER 5: IBM LinuxONE as the Digital Assets and Blockchain Platform
  Understanding Digital Assets and Blockchain
  Introduction to Digital Assets
  LinuxONE Security Enables Blockchain and Digital Assets
    Built-in encryption
    Key management
    Workload isolation
    IBM Secure Service Container technology
    Performance
  Blockchain and Digital Asset Deployment Patterns

CHAPTER 6: The Economics of IBM LinuxONE
  Consolidating Workloads
  Supporting Higher Utilization
  Using Open Source Software
  Looking at Additional Savings

CHAPTER 7: The IBM LinuxONE Open Ecosystem
  Open Source
  The Breadth and Depth of Linux
  LinuxONE as a Development and Deployment Platform
  LinuxONE as a DevSecOps Platform
  LinuxONE for Solution Providers and Cloud Service Providers

CHAPTER 8: Ten Reasons to Consider IBM LinuxONE


Introduction

As more companies transform their IT infrastructures with hybrid cloud services, they require environments that protect the safety of their intellectual property, such as data and business rules. In addition, businesses need a set of hybrid cloud services that combines the security and integrity of their enterprise computing environment with the economic viability of the hybrid computing environment. Welcome to IBM LinuxONE.

LinuxONE is a hardware system designed to support and exploit the Linux operating system based on the value of its unique underlying architecture. We are in an era where openness is paramount to support the needs of corporations. At the same time, in the era of cloud computing, businesses need scalability and security to support increasingly complex workloads. The business value of LinuxONE is that it can be used within a multicloud environment to support a range of workloads and a variety of customer scalability requirements.

LinuxONE supports open APIs and Red Hat OpenShift. The openness of the platform means your business can create a hybrid environment that can include both on-premises environments and public cloud services.

About This Book

IBM LinuxONE For Dummies, 2nd Limited Edition, is designed to help you understand LinuxONE as an integrated hardware and software environment that supports a hybrid cloud environment. This book provides you with an overview of the value of LinuxONE when compared to other platforms.


Foolish Assumptions

The information in this book is useful to many people, but we have to admit that we did make a few assumptions about who we think you are:

» You’re already familiar with enterprise and cloud computing and need to understand how to enable your company to scale in the era of the hybrid cloud.

» You’re planning a long-term cloud strategy and want to understand the value of the private cloud and how it can be used to support your business goals.

» You need to ensure that data is managed in a secure manner.

» You’re a business leader who wants to ensure that you have a predictable, secure, and resilient computing infrastructure.

Icons Used in This Book

The following icons are used throughout the book.

This icon highlights important information that you should remember.

Tips help identify information that needs special attention. You may save money, time, or resources.

This icon points out content that you should pay attention to in order to avoid problems.

This icon is reserved for more technical information.


Chapter 1

IN THIS CHAPTER

» Examining the history and evolution of LinuxONE

» Understanding the hardware of LinuxONE

» Making sure to protect data

» Looking at scalability, performance, and reliability

» Grasping the LinuxONE ecosystem

» Seeing LinuxONE in action: Workload performance

» Cashing in on the business benefits of LinuxONE

Explaining IBM LinuxONE

Linux adoption has grown dramatically over recent years, expanding from initial use by startups for web servers, into its use today for a vast range of enterprise computing workloads. These mission-critical applications have in turn placed greater requirements on the underlying server hardware for security, scalability, and resilience. As more enterprises move to a cloud-native architecture, Linux combined with containers and Kubernetes has become an invaluable platform to support cloud-native development and deployment. IBM LinuxONE is an important platform to support this DevOps and continuous delivery process. Because LinuxONE is based on open source Linux, developers can use the same tools they’re familiar with in any on-premises or cloud environment; because of LinuxONE’s capabilities, it can safely run development alongside production workloads.


LinuxONE is an enterprise-grade Linux server with a unique architecture designed to meet the needs of mission-critical workloads. It brings together IBM’s experience in building secure, resilient, and scalable systems with the openness of the Linux operating system. LinuxONE is a Linux-only platform intended to support customers interested in leveraging the open source ecosystem combined with highly secure and highly scalable servers.

Linux has been available on supercomputers for more than a decade, so it’s no novice at being the operating system for powerful machines. However, LinuxONE is focused squarely on enterprise computing in the era of the cloud. After you understand the hardware and software platform of LinuxONE, you can understand the business opportunities and benefits of LinuxONE.

In this chapter, we provide an overview of what LinuxONE is and how it can be used to support growing requirements in the enterprise.

The Evolution of LinuxONE

Over the years, centralized enterprise computers and their workloads have taken on many new roles, such as hosting servers in client-server applications or hosting the Internet. In the late 1990s, IBM made the strategic decision to support the Linux operating system on its enterprise server architecture.

In 2014, IBM saw a shift in how clients were deploying Linux and open source. This was driven by the use and maturity of open source software for enterprise application deployments. Clients were increasingly looking for scale, performance, availability, and security in their Linux servers. Observing this shift, IBM decided to build a system to address these requirements.

IBM decided to take existing components from across its Systems portfolio and fashion a platform that’s designed to deliver on these new expectations for enterprise Linux servers. The LinuxONE system was launched in August 2015. With IBM’s acquisition of Red Hat in 2019, the LinuxONE platform gained support for additional foundational components such as Red Hat OpenShift. In parallel, LinuxONE continues to work closely with its other Linux Distribution Partners, SUSE and Canonical (Ubuntu).


The result is a platform that can run cloud-native applications, provide enterprise class-leading security, deliver high enterprise server reliability, and consolidate workloads from many smaller servers onto a single integrated LinuxONE machine.

Looking at the LinuxONE Hardware

LinuxONE is currently in its third generation. Named IBM LinuxONE III, the platform can be delivered in two models: Model LT1 and LT2. Both models are designed to support cloud-native development and deployment. They support pervasive encryption and IBM Data Privacy Passports to protect data at rest and in transit:

» LT1 can be configured in one to four frames. It supports up to 190 processor cores, running at 5.2 gigahertz (GHz), up to 32 terabytes (TB) of RAM, and 640 dedicated Input/Output (I/O) processors. It supports tens of thousands of sessions and millions of containers.

» LT2 is designed for midsized businesses and is therefore an entry point into the LinuxONE III family. This model is delivered as a single 19-inch frame so that it can easily fit into existing data centers. It is based on the same technology foundation as Model LT1 and is available with up to 16TB of memory and up to 64 processor cores, running at 4.5 GHz, instead of 5.2 GHz, to support hundreds of production and development virtual machines (VMs) in a single frame footprint.

LinuxONE processor cores are designed to be more powerful than x86 processor cores, through a combination of processor architecture, clock speed, cache, optimization, and I/O offloading. While security and scalability are the key differentiators of these platforms, the hardware also provides reliability and performance benefits for many important cloud workloads.

Architecting Security into LinuxONE

Security is architected into LinuxONE for both the hardware and software. For example, pervasive encryption is designed to encrypt all data associated with an application, database, or cloud service — whether at rest or in transit. This level of protection is achieved through hardware-accelerated encryption of data, delivered with little overhead by the on-chip Central Processor Assist for Cryptographic Function (CPACF) and the dedicated Crypto Express adapter. The availability of this level of encryption at scale can make it easier for organizations to meet compliance mandates for regulations such as Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS).

Security is further promoted by protecting cryptographic keys by using a Hardware Security Module (HSM). Protected key encryption is processed in the CPACF for high speed and stored in an HSM. This key encryption enables fast encrypting and decrypting of complete disks (volumes) or selected partitions. Logical partition (LPAR) isolation, standard on all LinuxONE processors for generations, isolates workloads running in partitions to help ensure the integrity of applications and data and minimize security breaches and their damaging impact both financially and to an organization’s credibility.

IBM Hyper Protect Virtual Servers, formerly known as IBM Secure Service Containers, adds further security capabilities at a logical partition level. Hyper Protect Virtual Servers provides workload isolation, restricted administrator access, and tamper protection against internal threats, including from systems administrators.

Linux itself provides a comprehensive set of security technologies, including firewalls, VPNs, auditing tools to support regulatory compliance, and SELinux, a kernel-based security subsystem. For more details on security of LinuxONE, check out Chapter 2.

Protecting Data

In order to maximize data protection, LinuxONE offers two services: IBM Secure Execution and IBM Data Privacy Passports. Both these offerings help provide a comprehensive way to protect data in a distributed environment that spans from LinuxONE to a multicloud environment.


Secure Execution

Secure Execution for LinuxONE III is a hardware-based approach to security that’s intended to protect sensitive data in use. To achieve this objective, it isolates individual on-premises and cloud workloads from both internal and external attacks. To accomplish data protection, Secure Execution uses a hardware-based Trusted Execution Environment that isolates workloads in order to restrict access to data. It can process unencrypted memory securely without exposing the data to the hosted or other external environments. Secure Execution also provides isolation between KVM hypervisor hosts and guests in the VMs.

Chapter 2 provides more detail on Secure Execution.

Data Privacy Passports

Data Privacy Passports is designed to support encryption everywhere through a secure service container appliance. To achieve this objective, an organization’s security policy can remain active and operate on eligible data regardless of where the data resides in the enterprise. Check out Chapter 2 for more information.

Scalability and Performance

LinuxONE is designed to be a high-performance machine. With its processors, clock speed, I/O bandwidth, and more, LinuxONE is designed to operate at near 100 percent utilization. In contrast, x86 machines often operate at relatively low utilization levels (typically near 50 percent, although case studies show that number is often lower in practice). In addition, because encryption is built into the processor cores in hardware, encryption processing doesn’t add high overhead and can also reduce the need for the customer to add third-party encryption tools.

LinuxONE systems can scale vertically or horizontally without disruptions to running applications. The scalability of LinuxONE is efficient because you can scale up within the same machine. This scalability is ideal for “systems of record” workloads, such as databases and transaction processing, and reduces the costs of scaling workloads. In comparison, to scale out with an x86 system, you’re required to add more servers and dedicate more floor space, management tools, and networking — anything associated with adding new systems to your environment.


Reliability

Reliability is a well-known capability of IBM’s unique enterprise server architecture — for example, the fact that its design has no single points of failure. LinuxONE inherits these capabilities, including component redundancy to allow the machine to continue when a single component fails. This feat is possible because maintenance and repairs can be performed concurrently while the machine is still running workloads.

The LinuxONE Ecosystem

The LinuxONE environment is designed as a unified system based on the Linux operating system combined with the most important open source services, ranging from databases to management tools. Therefore, IBM has marshaled key open source and industry software for LinuxONE systems, including Python, Go, Swift, Java, and other languages; MongoDB, PostgreSQL, Apache Spark, Node.js, Hadoop, and other tools, including Linux containers, Chef, and Puppet. A critical part of the LinuxONE ecosystem is support for Red Hat’s Kubernetes platform, OpenShift. Red Hat OpenShift helps to accelerate DevOps and transformation efforts across Linux-based on-premises and cloud environments. This support for Red Hat OpenShift means that workloads can be managed and moved across LinuxONE III and cloud environments — connecting on-premises and cloud ecosystems.

These technologies work seamlessly on LinuxONE, just as they do on other hardware platforms, requiring no special skills. Because of its open source heritage, LinuxONE can operate both in the traditional data center or as a private cloud platform. LinuxONE runs the enterprise Linux distributions — Red Hat, SUSE, and Ubuntu — as well as community editions, including CentOS, Debian, Fedora, and OpenSUSE.

For more information on the LinuxONE ecosystem, flip to Chapter 7.


Workload Performance of LinuxONE

The unified platform of LinuxONE is designed to support demanding performance requirements in the enterprise. While we could give you countless examples of the benefits of this level of performance, in this section, we describe four use cases where customers benefit from the workload performance.

Support for large high-performance databases

Many databases use sharding or other scale-out mechanisms because the data is too large to fit on a single machine. Because of the scalability and performance of LinuxONE, a massive database can often fit on a single LinuxONE machine. Performance is often improved because everything is in the same server — avoiding the overhead of additional communications and coordination, the latency from gathering results, and the application changes required with a scale-out approach.

Support for large number of containers

LinuxONE systems have been enabled for Linux containers, Kubernetes, and Red Hat OpenShift with integrated management. Supporting high numbers of containers is key for businesses that service a large number of enterprise customers in areas such as telecommunications, cloud service providers (CSPs), and financial institutions.

Support for blockchain

Blockchain is a technology for creating distributed, secure ledgers that represent the history of transactions and life cycle of things (Bitcoin is the best-known application of blockchain). Blockchain is an ideal technology to run on LinuxONE. It relies on data encryption and decryption, and LinuxONE’s hardware cryptography is designed for superior performance at scale. When the size of a blockchain network or the size of the ledger gets huge, LinuxONE’s massive available RAM still allows verification of the ledger to occur in memory for optimal performance. Check out Chapter 5 for more information on blockchain.


Support for DevOps

LinuxONE is an important platform to support the DevOps process. Because LinuxONE is based on open source Linux, developers can use the same tools they’re familiar with in any on-premises or cloud environment and can safely run development alongside production workloads.

The Customer Benefit of LinuxONE

One of the consequences of the movement to hybrid cloud is the need to have performance, resilience, scalability, security, and manageability as the foundation. The cloud has brought the imperative of elasticity and security to the forefront of how businesses are supporting their customers, suppliers, and partners. You can no longer assume that you can estimate the capacity you’ll need a year in the future. While you can continue to add individual servers, management and security concerns are holding back businesses from achieving their goals. Ironically, LinuxONE — based on one of the longest lasting architectures in the industry — has emerged as one of the most forward-focused platforms to support change.


Chapter 2

IN THIS CHAPTER

» Knowing why you need a secure platform to protect your data

» Seeing the LinuxONE approach to security

» Understanding the ability to encrypt all your data

» Using Secure Execution for Linux

IBM LinuxONE as a Secure Platform

Security must be at the center of any IT platform. If critical business data is compromised or customer data is leaked, your business’s reputation may be damaged, and you may face regulatory and legal consequences. Likewise, if corporate data is exposed, you risk the chance of losing significant intellectual property.

When you’re considering an infrastructure platform, you need to understand the security features inherent to the platform, both in the cloud and on premises. In this chapter, we discuss how the IBM LinuxONE system incorporates many security capabilities.


Why You Need a Secure Platform

Initially, corporate management assumed that regulatory compliance and audits would be enough to protect your company’s data. However, many security risks come from third-party malicious attacks. Management now understands that with the advent of cloud computing many of the risks may be out of their direct control.

Businesses are concerned about cybersecurity threats to the information that is the lifeblood of their relationships with their customers and partners. More and more data resides in a hybrid cloud environment, and applications are designed to manage data and provide collaboration between customers and partners.

We are not just talking about data stores here. Instead, data is embedded in spreadsheets, documents, applications, and databases on premises and in the cloud. At one point, the Chief Security Officer (CSO) may have had direct control over how security was handled. However, increasingly, distributed data and applications make it difficult for the CSO to control this complex set of services. At the same time, security is now a major concern of business management. Management needs to report to shareholders that security is being managed at the highest level.

UNDERSTANDING CONFIDENTIAL COMPUTING

A new movement in the industry has introduced the concept of confidential computing. The term confidential computing refers to protection of data in use and is a key pillar of data protection. It uses hardware-based techniques to isolate data, specific functions, or an entire application from the operating system, hypervisor, or virtual machine (VM) manager, and other privileged processes. The Linux Foundation hosts the Confidential Computing Consortium, of which IBM is a member, to define industry-wide standards for confidential computing and to promote the development of open-source confidential computing tools. The focus of confidential computing is to store data in a trusted environment. LinuxONE supports protection of data in use, as well as data at rest and data in motion within the system.

A common misconception exists that when a business entrusts its data and applications to a cloud provider it is no longer responsible for security. But in fact, the business remains responsible for keeping track of this highly distributed data, including who’s allowed to access the data and whether regulations are adhered to. To be successful at protecting your assets, there needs to be a partnership between the cloud vendor and the security management team.

IBM’s Approach to Security with LinuxONE

In Chapter 1, we discuss how LinuxONE is designed to support industry-standard Linux. LinuxONE provides customers with a highly scalable, standards-based platform designed with security at the core. Security is built in at the lowest levels of the platform for LinuxONE. Security is at the heart of helping businesses to protect their assets at the most sophisticated level possible. This approach requires a sophisticated technique of protecting the integrity of data at rest, in motion, or in use called Cloud Hyper Protect Services. This service can be deployed either on LinuxONE or in the cloud as a service (see Chapter 4 for more details about IBM Cloud Hyper Protect Services). Important technologies for ensuring this level of protection are delivered through IBM Hyper Protect Services, which employs pervasive encryption, Hardware Security Module (HSM), and IBM Secure Service Container as underlying technologies for data protection.

Pervasive encryption

Pervasive encryption can automatically encrypt data both at rest and in flight and doesn’t require application changes. This approach enables companies to encrypt all their data by default with little compute overhead.

One of the benefits of the LinuxONE system is the extent of the security services. Because of the architecture of LinuxONE, security is pre-integrated at every level of the hardware and software stack. LinuxONE-based security is designed to encrypt data in bulk. Therefore, it is possible to encrypt all the data associated with an application or a database at one time.

Providing encryption of everything and at every level is in stark contrast to the way encryption is typically approached. Most companies only encrypt a small amount of data, leaving the vast majority of data completely unencrypted. All the unencrypted data is at risk of being leaked by mistake or stolen by a criminal. On the other hand, when all the data is encrypted, even if it’s exposed to people outside of your organization, it will be meaningless without the encryption key.

Traditionally, encrypting all your data required a large amount of compute and time overhead; however, the LinuxONE platform has dedicated hardware specifically tuned for encryption. The on-chip encryption co-processor is on every compute chip next to the main processor.

Hardware Security Module (HSM)

LinuxONE can also include CryptoExpress adapters, which support high-speed encryption as well as provide an HSM for securely storing and protecting encryption keys. These CryptoExpress adapters are protected using a tamper-responsive hardware environment that self-destructs encryption keys if it senses an attack.

Explaining Data Privacy Passports

IBM Data Privacy Passports is a capability available on LinuxONE III service that’s deployed on IBM Hyper Protect Virtual Servers. It’s designed to protect eligible data after it leaves its source and travels throughout the enterprise and into distributed and hybrid cloud environments. This solution focuses on the security of data itself rather than the security of networks, hardware, or software, in order to reduce vulnerabilities that exist with point-to-point data protection.

Before data leaves the system of record, the Data Privacy Passports component known as the Passport Controller provides protection, enforcement, policy, and key management. The goal of Data Privacy Passports is to ensure that privacy is maintained and managed based on policy as eligible data is moved from its source such as a system of record to other systems, including a variety of clouds. The objective is to provide transparent end-to-end data level protection and privacy. It achieves this goal by encrypting eligible data based on corporate rules and compliance requirements. Data Privacy Passports is designed so data access can be either granted or revoked in order to maintain control, and you can do so even after the data has left its source. This is especially important when data moves from the system of origin in order to conduct sophisticated analysis of data.

To execute on this process, Data Privacy Passports secures SQL-based structured data sources that are accessed via Java Database Connectivity (JDBC) APIs. The policy governed by the Passport Controller allows each persona to have a different view of the same table, based on its need to know, and policies can be set accordingly. Data owners may see all data in the clear, whereas others see it with protection enforced, either as a masked value or encrypted as a Trusted Data Object.

Setting up Data Privacy Passports has two critical stages:

1. The system administrator installs and configures the Hyper Protect Virtual Server hardware and software.

At this stage, the data owners identify which data needs to be protected.

2. Once identified, the security administrator sets up the policy for Data Privacy Passports based on which users have authorization to access the data under what conditions.

At this stage, the system administrator activates the approval policy and connects the policy to the source and target databases.
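The per-persona views and after-the-fact revocation described above, modeled as an added example that is not IBM's code or the Data Privacy Passports API. The `PassportController` class, the policy layout, the personas, and the `TDO:` text format are all assumptions, and the HMAC-SHA256 keystream stands in for a real authenticated cipher.

```python
import hashlib
import hmac
import secrets

# Hypothetical model: PassportController, the policy layout, the personas and
# the "TDO:" text format are illustrative assumptions, not IBM's API.
# Constructed sample data: one row from a system of record and its policy.
SAMPLE_ROW = {"customer_id": 1042, "name": "A. Example",
              "card_number": "4000123412341234", "region": "EU"}
SAMPLE_POLICY = {
    "name": {"data_owner": "clear", "support_agent": "clear"},
    "card_number": {"data_owner": "clear", "support_agent": "masked"},
}


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one column key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher."""
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def mask(value: str) -> str:
    """Show only the last four characters; short values are hidden entirely."""
    keep = 4 if len(value) > 4 else 0
    return "*" * (len(value) - keep) + value[len(value) - keep:]


class PassportController:
    """Holds the policy and the keys; consumers only ever hold protected rows."""

    def __init__(self, policy: dict):
        self._policy = {col: dict(rules) for col, rules in policy.items()}
        self._keys = {col: secrets.token_bytes(32) for col in policy}

    def _tag(self, column: str, nonce: bytes, ct: bytes) -> bytes:
        # Binding the column name into the tag stops a value being moved
        # from one column to another.
        mac_key = _subkey(self._keys[column], b"mac")
        return hmac.new(mac_key, column.encode() + b"|" + nonce + ct,
                        hashlib.sha256).digest()

    def protect(self, row: dict) -> dict:
        """Encrypt policy-covered (eligible) fields before the row leaves its source."""
        out = {}
        for column, value in row.items():
            if column not in self._keys:      # not eligible: passes through
                out[column] = value
                continue
            nonce = secrets.token_bytes(16)
            enc_key = _subkey(self._keys[column], b"enc")
            ct = _xor_stream(enc_key, nonce, str(value).encode())
            tag = self._tag(column, nonce, ct)
            out[column] = "TDO:" + ":".join(p.hex() for p in (nonce, ct, tag))
        return out

    def _open(self, column: str, tdo: str) -> str:
        nonce, ct, tag = (bytes.fromhex(p) for p in tdo[4:].split(":"))
        if not hmac.compare_digest(tag, self._tag(column, nonce, ct)):
            raise ValueError(f"integrity check failed for column {column!r}")
        return _xor_stream(_subkey(self._keys[column], b"enc"), nonce, ct).decode()

    def view(self, persona: str, protected_row: dict) -> dict:
        """Evaluate the policy at access time; no rule means the field stays encrypted."""
        out = {}
        for column, value in protected_row.items():
            if not (isinstance(value, str) and value.startswith("TDO:")):
                out[column] = value
                continue
            rule = self._policy.get(column, {}).get(persona, "encrypted")
            if rule == "encrypted":
                out[column] = value
            else:
                plain = self._open(column, value)
                out[column] = plain if rule == "clear" else mask(plain)
        return out

    def revoke(self, persona: str, column: str) -> None:
        """Withdraw access; copies the persona already holds stop opening."""
        self._policy.get(column, {}).pop(persona, None)


if __name__ == "__main__":
    controller = PassportController(SAMPLE_POLICY)
    protected = controller.protect(SAMPLE_ROW)
    for persona in ("data_owner", "support_agent", "analyst"):
        print(persona, controller.view(persona, protected))
    controller.revoke("support_agent", "card_number")
    print("after revoke", controller.view("support_agent", protected))
```

Because the policy is evaluated when a field is opened rather than when the row was exported, the revocation takes effect on rows that have already been copied elsewhere.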

Seeing the Value of Secure Execution for Linux

While existing techniques can provide extensive protection of data in flight and data at rest, protecting the third state — data in use — is the new frontier. Protecting data while in use has been a challenge so far because applications need to have data that’s unencrypted, or not protected, in order to run computations. This poses a significant security issue because this type of data remains exposed in memory and can be exploited by malware or other threat vectors to steal information. The Confidential Computing Consortium is an industry-wide movement to help protect data while it is in use through the implementation of hardware-based techniques such as Trusted Execution Environments (TEE).

IBM Secure Execution for Linux is a LinuxONE exclusive TEE technology that’s built into the hardware and firmware of the system. It is designed to protect the confidentiality and integrity of data and code in use (during runtime). Unencrypted data and memory while in use can now be securely processed in a protected execution environment, often termed an enclave. Secure Execution offers workload isolation and access restrictions to help ensure that other compromised guests or malicious administrators don’t have access to your sensitive workloads. Secure Execution can help provide a highly secure and trustworthy hosting solution for enterprise ready multi-tenant workloads on premises or in the cloud and hybrid environments.

The value of Secure Execution is that it can help mitigate some of the data exposure concerns that many organizations have expressed when approached with the idea of moving their most sensitive workloads to the cloud. Secure Execution can maintain confidentiality and integrity for data in use, regardless of who may own or have access to the machine on which the software is running. By protecting data in use, the last pillar of data security, Secure Execution makes it possible to run sensitive workloads more securely even on untrusted or malicious infrastructure and help you move one step closer to realizing a Zero-Trust environment.

Chapter 3

IN THIS CHAPTER

» Scaling approaches for LinuxONE and databases

» Choosing LinuxONE for running databases

» Looking at IBM Cloud Hyper Protect DBaaS

Scalable Databases for IBM LinuxONE

The key difference between IBM LinuxONE and other Linux systems is that LinuxONE’s hardware is engineered to offer dramatic improvements in performance, security, and reliability. In particular, LinuxONE can scale up to handle large databases when compared to other approaches. The platform also enables the consolidation of multiple database servers onto a single system. These hardware advantages create the opportunity to run databases on a single scale-up LinuxONE machine rather than multiple scale-out servers. Transitioning from a scale-out to a scale-up strategy helps organizations increase performance, achieve higher utilization, and reduce costs.

In this chapter, we provide an overview of LinuxONE and why it’s well suited to running large databases. We also discuss an IBM product designed to deploy and monitor secure databases in the cloud.

Scaling LinuxONE and Databases

Organizations have coped with large volumes of data for decades, but the challenge is exacerbated by the ever-increasing volume of big data that’s applied to advanced analytics problems at a massive scale. This rapid data increase requires significant processing power and computing resources that can scale performance quickly as demands change.

Scalable processing power can be achieved in various ways. The cloud has demonstrated the ability to scale massively by scaling out — using many independent, cooperating virtual machines (VMs), running on commodity servers. While this scale-out approach can work for systems of insight and systems of collaboration, there are challenges for systems of record because of the need to achieve immediate consistency in data across multiple VMs — and managing a sprawling network of distributed servers can quickly become difficult. In addition, as you continue to scale out, you’ll likely introduce latency and increase costs.

Scale up, not out

Instead of scaling out, you can scale up. Scaling up allows you to get more compute and storage resources from a single machine. With the scale-up model, you begin with a small VM and add processors and memory as your workloads expand.

LinuxONE uses a fast commercially available processor running at 4.5 or 5.2 gigahertz (GHz). Input/Output (I/O) is offloaded to up to 640 dedicated co-processors, speeding access to data. And LinuxONE can run many workloads that otherwise require multiple x86 machines. For example, a single IBM LinuxONE III system is designed to scale up to billions of transactions per day, support up to 8 terabytes (TB) of main memory, contain 30 CPUs, and provide extreme I/O bandwidth with a 16 gigabit (Gb) channel — all while designed for 99.999 percent availability. However, you can start by provisioning and paying for a much smaller workload and scale up as your requirements expand.

Database scalability

There’s no shortage of databases in the world. Each platform has its strengths and weaknesses depending on its use and constraints. For example, some databases are designed to run as clusters of cooperating servers in the cloud. This scaled-out configuration can manage larger quantities of data than a single machine and can continue to scale out with even more servers to meet additional demands.

Other on-premises databases are designed to operate on a single machine. If a business needs to deploy a workload larger than the machine’s capacity, it may need to use a strategy like sharding — another form of scaling out.

When the data is complex or has many interconnections, sharding (partitioning a large database into smaller units) will also introduce latency to data access when it is retrieved and reassembled from multiple partitions. Add in the extra communication required between the scaled-out servers as well as the management overhead of a cluster of servers, and the performance cost of the scaled-out solution can become significant. Therefore, as a general solution, sharding can cause as many (or more) problems as it solves. In contrast, a single LinuxONE machine, with its high capacity and performance, can handle large databases in a single system without requiring sharding.

Consolidating databases

One common use case for LinuxONE is to host the consolidation of commercial databases onto a single system. The benefits include increased performance, better throughput of data, and more efficient sharing of resources. Customers have reported consolidation ratios of 10:1 cores or more, which can lead to the opportunity for significant savings in software license fees where these are calculated on a per-core basis. See Chapter 6 for a more detailed discussion of LinuxONE and total cost of ownership (TCO).

LinuxONE as a Database Platform

The Linux operating system has enjoyed success in the enterprise and has a broad and deep ecosystem for databases and applications. One of the benefits of LinuxONE is that it supports many of the popular SQL and NoSQL databases. Many databases are available on LinuxONE. Two of the commercial databases, Oracle and IBM Db2, are among the most popular. Two others, PostgreSQL and MongoDB, are prominent open source databases that can also benefit from LinuxONE’s scalability.

The Linux operating system can be tuned to optimize performance of applications and databases. For example, administrators can configure swapping conditions, RAM page size, choice of filesystem to use (ext4, XFS, ZFS), filesystem parameters, as well as many other system features. The scale-up capacity and performance allow many large database workloads to be handled by a single LinuxONE server. Also, multiple databases and applications can be consolidated on a single LinuxONE server for cost savings without a performance penalty. In addition, a database running on LinuxONE can exploit the large memory to hold data.

IBM Cloud Hyper Protect DBaaS

One of the issues keeping many highly regulated businesses from moving to the cloud is the fear of putting sensitive customer data at risk. To address this issue, IBM created the service IBM Cloud Hyper Protect Database as a Service (DBaaS) to provide high levels of data confidentiality. This cloud-based platform provisions and manages cloud databases with strong security features and is built on IBM LinuxONE and delivered through IBM Cloud. The data owner maintains complete control over the data. IBM Cloud Hyper Protect DBaaS includes built-in workload isolation that restricts administrative access so it incorporates tamper protection. In fact, IBM can’t access the data within your database service.

Where databases used to be installed and configured by hand, IBM Cloud Hyper Protect DBaaS presents a visual, graphical user interface where you can select a database type (currently, MongoDB or PostgreSQL), a processor class, and security features to apply. One click then creates a cluster of three databases for you, one primary and two secondary, in a controller/follower/follower configuration.

Databases are protected by security features like hardware protected encryption keys (via a Hardware Security Module [HSM]), and IBM Secure Service Container technology. The cluster of three databases provides not only scale-out performance but also redundancy for extra protection of data. Users can monitor their running databases from the IBM Cloud Hyper Protect DBaaS Graphical User Interface (GUI) or use their favorite database-specific management tools. With IBM Cloud Hyper Protect DBaaS, you don’t have to be a database administrator (DBA) or database expert to provision highly secure databases quickly and easily.

Chapter 4

IN THIS CHAPTER

» Understanding the role of Red Hat OpenShift

» Explaining IBM Cloud Paks

» Introducing IBM Cloud Hyper Protect Services

IBM LinuxONE as a Cloud Platform

Businesses are turning to hybrid cloud as a way to manage their workloads to support customers and partners. One solution to support all workloads and business situations doesn’t exist. Both corporations and cloud service providers (CSPs) are evaluating a new generation of cloud offerings as a solution. In this chapter, you explore IBM Cloud Pak Solutions and Red Hat OpenShift in combination with IBM LinuxONE in a hybrid cloud environment. LinuxONE can be deployed in a variety of cloud use cases, including in the IBM Cloud as the foundation for IBM Cloud Hyper Protect Services or IBM Blockchain Platform.

The Role of Red Hat OpenShift Container Platform

The foundational layer of the IBM hybrid cloud platform is provided by Red Hat OpenShift. Red Hat OpenShift is platform agnostic, runs on multiple clouds and architectures, and has been available for IBM LinuxONE since early 2020. Red Hat OpenShift Container Platform is built on Kubernetes and enables new cloud-native applications to be developed and existing applications to be modernized. These new and modernized applications are designed for high performance and for the flexibility to respond to customer and market changes. Applications built on Red Hat OpenShift and deployed on LinuxONE inherit the enterprise qualities of LinuxONE, with high levels of security and fast performance through co-location with core data.

Understanding IBM Cloud Paks

IBM Cloud Pak Solutions are an integrated set of solutions infused with artificial intelligence (AI) designed for the hybrid cloud. Cloud Pak offerings are built on Red Hat OpenShift and can run on public clouds, private clouds, and on-premises infrastructure. Cloud Pak Solutions are designed so they can sit on top of any public or private cloud. The benefit of this software abstraction layer is that LinuxONE can become the high-end hybrid cloud platform. For LinuxONE, four Cloud Pak offerings are currently available:

» Cloud Pak for Applications: An enterprise-ready containerized software solution that modernizes existing applications and develops new cloud-native applications

» Cloud Pak for Integration: A pre-integrated API-based platform to support data integration, messaging and events, high-speed transfer, and integration security

» Cloud Pak for Data: Designed to unify data services through an integrated data catalog, open source, and third-party microservices

» Cloud Pak for Multicloud Management: A solution that provides consistent visibility, automation, and governance across a range of hybrid multicloud management capabilities, such as infrastructure management and application management

Additional Cloud Paks will be made available on LinuxONE, including Cloud Pak for Security and Cloud Pak for Automation.

Cloud-optimized software and services

Because Cloud Pak Solutions are based on Red Hat’s OpenShift container architecture, several optimized services are part of the platform. Cloud Pak offerings give you a common catalog of services that increases developer productivity. The catalog helps manage microservices so they can scale both horizontally and vertically. The structure of the catalog makes it easier to govern, deploy, and maintain software and services to support rapid development, test, and deployment. Services that are managed in the catalog include Helm charts, Terraform templates, and Cloud Foundry buildpacks.

Red Hat OpenShift serves as the foundation for Cloud Pak Solutions and incorporates a broad range of managed middleware, data, and analytics services, supporting both cloud-native and existing applications. New Kubernetes services included are Microservices Builder, IBM Watson Studio, security services, and IBM API Connect. Developers can leverage existing application development skills such as Java, Spring, and Open Liberty through the Red Hat Runtimes and IBM middleware. API connectivity and management services make it possible to integrate services across public, private, and existing enterprise environments.

Infrastructure flexibility

The IBM Cloud Pak Solutions environment can operate on any existing hardware environment that supports Red Hat OpenShift, including IBM LinuxONE, IBM Z, IBM Power Systems, IBM Storage, IBM Hyperconverged Systems, and x86-based systems. It also supports a variety of clouds, including VMware, Amazon Web Services, Microsoft Azure, Google Cloud Platform, and IBM Cloud.

IBM Cloud Hyper Protect Services

IBM Cloud Hyper Protect Services is a portfolio of IBM Cloud services deployed on LinuxONE. The portfolio provides advanced security, database, and virtual servers offerings that use the enterprise-grade capabilities of LinuxONE but are available to everyone through the IBM Cloud catalog. These include:

» IBM Cloud Hyper Protect Crypto Services: This is a fully managed, dedicated key management and cloud Hardware Security Module (HSM) service. The HSM is the only one among several popular compared cloud providers based on FIPS 140-2 level 4-evaluated technology offered by a public cloud provider. Through this, enterprises can fully manage their encryption keys in the cloud and have exclusive control of the HSMs that protect those keys, which enables a Keep Your Own Key (KYOK) functionality to help achieve more authority over your data.

Multiple IBM Cloud services integrate with Hyper Protect Crypto Services for key management. Additionally, the service can be used as a cloud HSM for application-driven data integrity and to protect data in transit (such as SSL offloading).

» IBM Cloud Hyper Protect Database as a Service (DBaaS): This is a cloud service designed to provide highly secure databases on demand, such as PostgreSQL and MongoDB Enterprise Edition. It’s designed to provide data confidentiality, security, performance, and reliability for moving highly sensitive confidential data and workloads to the IBM Cloud. Clients can quickly provision, manage, and protect sensitive data workloads.

The service leverages LinuxONE encryption capabilities, allowing clients to retain their data in an encrypted client database without needing specialized skills. It uses IBM Secure Service Container to provide workload isolation, restricted administrator access, and tamper protection against internal threats. The Docker-based stack inherits security without any code changes. With IBM Cloud Hyper Protect DBaaS, clients can deploy integrated database clusters in the IBM Cloud, manage database instances using APIs, Command Line Interfaces (CLIs) or User Interfaces (UIs), administer database content, and monitor their database environments.

» IBM Cloud Hyper Protect Virtual Servers: IBM Cloud Hyper Protect Virtual Servers are the industry’s first customer-managed LinuxONE-based virtual servers offering in the public cloud. The offering gives customers complete authority over their workloads and confidentiality of code, data, and business Internet protocol (IP) within a secure environment. Workloads are protected from both internal and external threats, and not even privileged users, such as cloud administrators, can access client data. Finally, a client can easily provision, manage, maintain, and monitor instances in the IBM Cloud using a standard UI.

Chapter 5

IN THIS CHAPTER

» Understanding the fundamentals of digital assets and blockchain

» Introducing digital assets

» Enabling blockchain and digital assets with LinuxONE security

» Looking at the deployment patterns behind blockchain and digital assets

IBM LinuxONE as the Digital Assets and Blockchain Platform

Business leaders are beginning to understand that blockchain is much more than just the technology that underlies Bitcoin and other cryptocurrencies. The core architecture of blockchain allows a means of conducting secure transactions among many participants. The blockchain architecture ensures that the transactions are secure, auditable, and transparent to all stakeholders. Digital assets are blockchain-native assets that are secured using cryptography.

The IBM LinuxONE platform is engineered to provide a broad array of security capabilities, ranging from pervasive encryption to IBM Data Privacy Passports and IBM Hyper Protect Virtual Servers (for more details on LinuxONE security, check out Chapter 2). LinuxONE’s depth of security helps applications that are using blockchain perform faster and more efficiently while delivering the highly rated Common Criteria levels of security through logical partitions rated at EAL 5 level.

This chapter explains how digital assets housed in a private blockchain provide the required security to protect the privacy and security of corporate and customer information. The value of digital assets and blockchain is explained in the context of the hybrid cloud.

Understanding Digital Assets and Blockchain

A blockchain is a digital database containing information (such as records of financial transactions) that can be simultaneously used and shared within a large decentralized, publicly accessible network for public blockchains, or within a private network for enterprise blockchains. In public blockchains (for example, Bitcoin or Ethereum) participation is unrestricted and anonymous. Therefore, nodes don’t have a legal identity, are geographically dispersed, and tend to be large networks with low throughput. These properties are in contrast to enterprise blockchains where only selected parties (such as a consortium of banks) can participate. These enterprise nodes are legal entities and tend to be slim networks designed to drive much higher throughput compared to public blockchains.

Before blockchains were developed, a central clearinghouse was responsible for verifying the identity of participants, managing inventory of the product (for example, currency), conducting transactions (purchases), and providing security and transparency. Each party kept its own records of transactions, resulting in delays and expense to reconcile the discrepancies. A security breach of the central authority could be catastrophic, risking the financial underpinning of the marketplace and possibly destroying trust in the business.

The breakthrough for blockchain was to replace a central authority with a distributed consensus model that transformed the centralized database into a “distributed, shared ledger” available to all members of the network.

To ensure the highest level of security, the system or platform must be separated from endpoint security for both users and devices.

Introduction to Digital Assets

An asset is simply anything of value, meaning that somebody is willing to trade something else for the asset or wants to steal it. An asset can be physical, such as a box of chocolates. Most people think of assets as durable, that they don’t expire, but assets are often perishable at least to some degree. Because assets have value, their owners, custodians, and managers want to handle them with care and defend them against thieves. For example, they keep chocolates refrigerated, in locked warehouses, and sell them (trade them for Swiss francs, for example) to chocolate lovers before the chocolate starts growing mold.

Digital assets are non-physical assets ultimately represented as sequences of binary digits (1s and 0s). Because it’s technically possible to preserve binary data indefinitely with extreme fidelity, digital assets are nonperishable in a literal sense. However, digital assets can certainly depreciate in value even to zero. Binary data is also technically easy to copy, which results in a significant protection challenge when digital assets are private secrets. Some examples of digital assets include video game software code, digital photographs of celebrities, missile launch codes, as well as codes captured in hotel room key cards that allow time-limited access to hotel rooms, and cryptocurrencies such as Bitcoin.

LinuxONE Security Enables Blockchain and Digital Assets

Both LinuxONE and blockchain emphasize the importance of security to ensure that the business solutions built or running on their platforms are robust and protected from security threats. The threats to digital assets are broad. Threats range from simple carelessness on the part of administrators or operators to sophisticated threats from external players. One of the biggest challenges to protecting digital assets is securing the private key. Additionally, threats occur when code is compiled to build an image that’s stored in memory. A common error is for this code to be left exposed, leaving this information open to intruders.


LinuxONE provides a solution to this common problem by providing a secure memory enclave. Rather than leaving code in clear text, LinuxONE builds an image in a secure memory enclave. This secure container service creates protected memory. Known as confidential computing, this approach to securing data stored in memory is critical for creating safe blockchain and digital assets.

While LinuxONE’s hardware and software have security benefits for all applications, there are features that particularly benefit blockchain. In this section, we discuss the primary benefits of LinuxONE security in protecting your digital assets.

Built-in encryption

Encryption and decryption have a performance cost, and LinuxONE has dedicated on-chip co-processors for hardware encryption and decryption of data without the typical processing overhead associated with software encryption. The low overhead of LinuxONE hardware encryption enables pervasive encryption to be practical, automatically protecting all data.

Key management

LinuxONE has a hardware security module (HSM) that supports the storage of private keys required for cryptographic signing in a tamper-resistant module. This is another feature that improves performance and security. These HSMs hold the root wrapping key material that in turn encrypts the user’s private keys. The private keys are never presented in clear text within the system, and the root wrapping key material never leaves the HSM.
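The wrapping arrangement described above, sketched as an added Go example (not IBM code and not from the book). SimHSM is a hypothetical software stand-in for the tamper-resistant module; AES-256-GCM as the wrapping cipher, Ed25519 as the signing algorithm, and the labels and message are assumptions constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SimHSM is a hypothetical software stand-in for a tamper-resistant module.
// The root wrapping key lives only inside the unexported AEAD instance, so
// callers can never read it; a real HSM enforces that boundary in hardware.
type SimHSM struct {
	aead cipher.AEAD // AES-256-GCM keyed with the root wrapping key (assumed cipher)
}

// NewSimHSM generates the root wrapping key inside the module.
func NewSimHSM() (*SimHSM, error) {
	root := make([]byte, 32)
	if _, err := rand.Read(root); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(root)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SimHSM{aead: aead}, nil
}

// GenerateKey creates a signing key pair inside the module and returns the
// public key plus the private key wrapped under the root key. The label is
// bound to the blob as associated data, so a blob cannot be replayed under
// another owner's label.
func (h *SimHSM) GenerateKey(label string) (ed25519.PublicKey, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, h.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	// Blob layout: nonce || ciphertext || authentication tag.
	blob := h.aead.Seal(nonce, nonce, priv.Seed(), []byte(label))
	return pub, blob, nil
}

// Sign unwraps the key inside the module, signs msg, and returns only the
// signature. The clear private key exists only within this function.
func (h *SimHSM) Sign(label string, blob, msg []byte) ([]byte, error) {
	ns := h.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("wrapped key blob too short")
	}
	seed, err := h.aead.Open(nil, blob[:ns], blob[ns:], []byte(label))
	if err != nil {
		return nil, errors.New("wrapped key rejected: tampered blob, wrong label, or wrong module")
	}
	if len(seed) != ed25519.SeedSize {
		return nil, errors.New("unexpected key material length")
	}
	return ed25519.Sign(ed25519.NewKeyFromSeed(seed), msg), nil
}

// VerifySignature runs outside the module: only the public key is needed.
func VerifySignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	hsm, err := NewSimHSM()
	if err != nil {
		panic(err)
	}
	label := "custody-account-1" // constructed label
	pub, blob, err := hsm.GenerateKey(label)
	if err != nil {
		panic(err)
	}
	msg := []byte("transfer 5 units to account B") // constructed sample message
	sig, err := hsm.Sign(label, blob, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("signature verifies:", VerifySignature(pub, msg, sig))

	blob[len(blob)-1] ^= 0x01 // flip one bit of the stored blob
	_, err = hsm.Sign(label, blob, msg)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The application stores only the wrapped blob and the public key, so a copy of its database or memory yields no usable signing key without the module that holds the root wrapping key.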

Workload isolation

Workloads are also isolated on LinuxONE, using the firmware virtualization of logical partitions (LPARs). These ensure near air-gap separation between workloads and have enabled LinuxONE to be Common Criteria certified at EAL5+, one of the highest commercially available certifications.


IBM Secure Service Container technology

Building on logical partitions is the IBM Secure Service Container technology, which takes workload isolation to the next level by providing a secure computing environment for Linux applications. IBM Hyper Protect Virtual Servers (on premises) and IBM Cloud Hyper Protect Virtual Servers (in the IBM cloud) use this technology to protect data and applications from each other and from systems administrators. We discuss security in more detail in Chapter 2 and IBM Cloud Hyper Protect Services in Chapter 4.

Performance

One of the requirements for blockchain is a sophisticated level of security. Therefore, it’s imperative that the deployment platform has the best possible performance so the system performs at the speed demanded by complex blockchains and digital asset management environments. These deployment models require a significant amount of encryption as well as support for hashing algorithms.

Blockchain workloads use a lot of encryption and hashing. LinuxONE handles this level of performance through a number of capabilities, including an on-chip cryptographic accelerator. LinuxONE also provides a high-capacity scale-up environment, with large memory, a dedicated Input/Output (I/O) subsystem, and a large cache available.

Blockchain and Digital Asset Deployment Patterns

Clients are selecting the deployment pattern that best matches their business requirements for blockchain. Some customers are deploying their entire blockchain network on premises while other businesses are selecting a hybrid pattern. Still other companies are operating the blockchain in a public cloud.


Because of its distributed architecture, blockchain is well suited for the hybrid cloud model and can be deployed both in the public cloud and on premises. The decision on where to deploy blockchain could, for example, depend on whether a managed service is preferred for ease of use, or whether government, industry, or corporate regulations mean that data needs to be held locally.

For both cases, blockchain, running on LinuxONE, benefits from the LinuxONE security capabilities, including pervasive encryption, workload isolation, and the additional protection of IBM Secure Service Container technology.

LinuxONE is an open platform for blockchain technologies. Therefore, customers have a choice of deployment models. For example, popular deployments include Hyperledger Fabric (managed by the Linux Foundation) and the IBM Blockchain Platform. More recently, LinuxONE supports R3, Ltd.’s distributed permissioned blockchain ledger protocol, called Corda Enterprise.

There are a number of patterns available for customers protecting digital assets in a blockchain. Digital assets can be managed in a blockchain custody solution. Independent software vendors offer a variety of solutions that leverage LinuxONE and IBM Hyper Protect Virtual Servers. For example, a fintech startup created a smart contract and digital asset offering in order to help businesses store and transfer assets securely. Fintechs may leverage the LinuxONE platform to build and host their digital asset custody solutions, recognizing the security value proposition offered through Hyper Protect Virtual Servers and the Crypto Express HSM.


Chapter 6

The Economics of IBM LinuxONE

IN THIS CHAPTER

» Consolidating workloads onto LinuxONE

» Examining higher utilization

» Reducing cost with open source software

» Saving money in additional areas

You may assume the total cost of ownership (TCO) of the enterprise-grade IBM LinuxONE platform is much higher than commodity servers. However, customers are surprised at the economic advantage of the LinuxONE platform compared to a similarly complex set of applications running in an x86 environment. The economics of LinuxONE become clear when you begin to compare the TCO of a LinuxONE machine versus other servers. x86-based infrastructures tend to have workloads distributed over many individual servers while LinuxONE-based infrastructures consolidate workloads onto fewer LinuxONE cores. The primary reason for software savings is per-core licensing. LinuxONE requires fewer cores to run an equivalent x86 workload; therefore, fewer licenses are required. Secondary and indirect costs also have a significant impact on TCO.

In this chapter, we explain how LinuxONE provides cost savings by consolidating workloads, supporting higher utilization, using open source software, and more. We also discuss two business cases where organizations replaced x86-based environments with LinuxONE servers.


Consolidating Workloads

Workload consolidation gathers workloads from multiple servers and runs them on a single, larger server. LinuxONE servers can run many workloads simultaneously and consolidate workloads from x86 servers. The result is fewer LinuxONE servers than the number of x86 servers they replace.

Consolidation has many advantages. Removing the servers whose workloads are consolidated onto a larger server can reduce hardware costs. Having fewer physical machines to run and maintain can reduce operations costs. Additional savings are gained by the reduction in data center infrastructure resources required, including less networking (because of fewer servers to connect), freed-up floor space, reduced power requirements, and redeployment of staff from administration to innovation. The largest savings typically comes from fewer software licenses due to dramatically fewer processor cores required to run the same work.

Supporting Higher Utilization

Because LinuxONE servers have higher processing, storage, and Input/Output (I/O) capacities than x86 servers, a LinuxONE server will generally support many more active applications than an x86 server. However, that’s not the whole story. LinuxONE and x86 machines support fundamentally different levels of CPU utilization.

Understanding the utilization capacities of servers is critical when comparing hardware platforms. Utilization is the percentage of overall processor performance consumed by a computer when running workloads. After a processor reaches 100 percent of processor utilization, no additional processing power is available. Remember that you must plan for application spikes. For example, an application’s load might average just 20 percent of the server’s utilization, but during brief high-demand periods that 20 percent could spike to nearly 100 percent.

When workloads exceed 100 percent of processor capacity, even if from temporary spikes, overall performance decreases as the machine struggles to manage the workloads it can’t service. x86 servers rarely sustain high levels of utilization, further limiting available performance. Because exceeding the available processing capacity is counterproductive, organizations usually over-provision compute resources and limit the number of workloads on machines to avoid bottlenecks.

LinuxONE cores run at high speed and high utilization and contain other performance features that support demanding workloads. LinuxONE cores are also designed to provide sustained high utilization. Therefore, LinuxONE machines have the capacity to handle spikes that near 100 percent utilization without over-provisioning. Further, LinuxONE machines are designed to reach higher average utilization levels, while x86 machines often reserve a large portion of their capacity simply to handle spikes.

THE COST BENEFIT OF MIGRATING TO LinuxONE

A mid-sized financial services organization stood at a crossroads. As it grew, it added more and more servers to its data center to support its database workload. The company had forty-two x86 servers with 1,512 cores. Expenses began to exponentially increase. For example, its software licensing costs increased because the licenses were based on the number of cores. Likewise, networking costs between all the machines ran high. The company knew it had to look at alternatives. It considered the cloud but determined the costs to be similar to, if not more than, the current environment.

The company learned more about the LinuxONE platform and discovered that it could begin consolidating database workloads. To run the database workload, the company needed two IBM LinuxONE Emperor II platforms with 135 cores, close to 1,400 fewer cores than were needed with its forty-two x86 servers. After implementing LinuxONE, the company realized the following savings:

• Migration: 50 percent savings

• Energy: 86 percent savings

• Networking: 98 percent savings

• Staffing: 28 percent savings

• Software: 89 percent savings

Although the company spent more on hardware and system software, switching to LinuxONE resulted in a TCO savings of 41 percent, or $12 million, over five years. The company realized savings within the first year, and the difference in annual run rate was approximately $2.5 million.

Using Open Source Software

The accelerating growth of data from mobile devices, social media, and big data activities is exerting pressure on data storage, communications bandwidth, and processor power resources. Using an open source operating system and tools on LinuxONE can offer economic advantages over proprietary offerings and a more manageable path to handle the continuing rapid growth of data that organizations handle. There is also a large ecosystem of open source partners and tools. LinuxONE customers can take advantage of a wide variety of free open source tools or lower priced tools, many of which aren’t available on proprietary platforms.

LOOKING AT THE VALUE OF SUSTAINABILITY

Understanding the value of sustainability is tightly linked to the economics of the LinuxONE platform. The single- and multi-frame models are designed with TCO in mind. The design is intended to fit the systems into the cloud data centers to coexist with other platforms in the hybrid cloud environment.

One of the most important characteristics of sustainability requires limiting the amount of greenhouse gas emissions in order to address the impact of human activity on the environment. Many nations have laws requiring compliance with environmental directives that can result in financial penalties. In addition, businesses view minimizing greenhouse gas emission as a way to satisfy expectations of customers. The typical data center can consume as much as 50 times the energy per floor space of a commercial building. Therefore, reducing energy consumption can have a dramatic impact on costs and sustainability.

For example, a global insurance company’s data center costs and database and application server workloads were increasing. The insurance company selected a LinuxONE system and decreased costs significantly. The company moved from fifty-five x86 servers to one LinuxONE system. This resulted in an 86 percent reduction in required floor space and a 62 percent reduction in energy consumption. Administration efforts were also dramatically reduced. Overall the company significantly reduced its carbon footprint.

How can your business achieve the objective of reducing energy consumption? It can invest in an energy-efficient data center design that focuses on addressing the carbon footprint of the hardware, heating, ventilation, and air-conditioning systems in order to reduce electricity consumption. This may be accomplished through better sharing of resources, lowering overall power consumption, and reducing floor space requirements.

Looking at Additional Savings

The robustness, resiliency, and security of LinuxONE have potential to save customers money in other ways by reducing costs associated with downtime, repairs, and security breaches. LinuxONE customers can realize savings in these two areas as well:

» Achieving high availability (HA): Enterprise applications require high uptime and use HA to achieve it. HA is provided by maintaining redundant hardware and software environments, often with constant data mirroring. Providing HA can be a costly and difficult process. However, fault tolerance is built into the LinuxONE server, and redundant parts take over seamlessly without staff intervention. Mean time between failures (MTBF) of the underlying technology is measured in decades.

» Planning for disaster recovery (DR): In a traditional scale-out environment with potentially hundreds of servers, each server must be replicated in another physical region with constant data mirroring from the active servers to achieve a reliable DR plan. DR is easier in a LinuxONE environment because of the greatly reduced number of servers and associated infrastructure that must be replicated to handle failovers. In fact, with LinuxONE there may be only one or two physical servers that must be maintained along with accompanying failover systems.


LinuxONE DEPLOYMENT AT A BANK

A banking enterprise was experiencing 30 percent year-to-year growth in new accounts and in transactions from different applications, credit cards, core bank accounts, and peripheral accounts. The company faced frequent server upgrades and additions, which led to a sprawling infrastructure. The easiest approach was to keep doing what it had always been doing, but that created a complex environment that required more people and more processes. DR was another growing concern. If a move to DR was needed, could the business do it confidently? Would all data be accessible at the right speed and within the right amount of time?

After learning about the LinuxONE platform, the company contacted IBM for help. The Chief Information Officer (CIO) explained that the company needed a platform that could scale to avoid frequent upgrades. Key objectives and issues for the client were

• Achieving scalability: The company needed an environment that would scale up as demand increased.

• Increased security: Data protection was one of the key requirements for everything the company did.

• Reducing database costs: With the company’s existing scale-out strategy, software licenses for the increasing numbers of cores were becoming expensive.

The client decided to use a phased LinuxONE approach. It started small, moving a few workloads at a time and increased capacity over time to minimize costs. Unlike other architectures, LinuxONE growth can happen without disruption, so moving the workloads was simple. The phase-one migration of 20 applications was complete in less than 90 days.

The business was convinced of the technical merits of the LinuxONE solution, but the financial benefits convinced its board. In phase one, the company saw reduced TCO of 40 percent, or $10 million over five years. The largest savings came from reduced application and database license pricing due to a core reduction of ten times for the workloads. The business case also showed that fewer staff members were required, freeing up resources to work on new projects. In the data center, floor space, networking, and cabling were also areas for savings, and those savings were realized in the first year.


Chapter 7

The IBM LinuxONE Open Ecosystem

IN THIS CHAPTER

» Introducing LinuxONE’s open source background

» Delivering innovation and agility

» Recognizing the breadth of software available with LinuxONE

» Using LinuxONE for software development and DevOps

Linux is a dominant operating system in the overall computing landscape for both on premises and cloud environments. The IBM LinuxONE open ecosystem includes the broader set of Linux software developed and used by the Linux community. Although many different Linux distributions exist, the vast majority of Linux software can run on any Linux distribution.

In this chapter, you focus on the LinuxONE ecosystem for partners and customers. You explore how open models foster innovative software and how software stability is maintained in the context of constant innovation. You also see how these traits have attracted innovative developers who are creating new offerings on top of the LinuxONE platform.

Open Source

Linux is an established platform for business. Many software developers build applications and tools on top of Linux because the operating system is open source and ubiquitous. By using the open source model, developers from many different companies around the world have formed a community to continue the evolution and innovation of Linux. For example, Google’s Android operating system, used in many smartphones, is based on a modified version of Linux.

Communities work at their own schedules to build open source code. These experts work in collaboration to innovate whenever they can to produce new features and capabilities. Keeping up with the rapid pace of open source software development needs to be balanced with the enterprise need for reliable and stable software that is fully tested and secured.

This need for production-ready, open source software is why many businesses choose open source software with enterprise support. For example, three enterprise Linux distributions that have been certified and tested to run on the LinuxONE platform are Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), and Canonical’s Ubuntu LTS. In addition, community versions of Linux are available for LinuxONE, including CentOS, Debian, Fedora, and OpenSUSE. By supporting a variety of Linux distributions, the LinuxONE platform gives customers and developers choice.

The Breadth and Depth of Linux

Linux offers the same operating system features one would expect from other platforms, including everything from productivity tools to web and mail servers. Firewalls and other security features are all standard. Because so many organizations are running Linux, the vast majority of software vendors selling significant business applications release versions that run on Linux.

Further, many open source applications and tools are built on, and for, Linux. These tools include hypervisors, languages, runtimes, management, and analytics platforms. The Linux distributions that are certified for LinuxONE include graphical tools that make it easy for administrators to add various development tools and software.


Open source software is free (although there may be a charge for support and service), so you can try a variety of tools to see which works best for your business. In addition, like Linux, many of the open source tools have enterprise versions. LinuxONE offers support for a variety of the key Linux distributions, including Red Hat Linux, Open SUSE, and Ubuntu.

LinuxONE as a Development and Deployment Platform

LinuxONE supports a broad ecosystem of third-party tools and languages. Linux has always offered many tools for developers, and the quantity and quality of these tools have grown over the years.

Today, a developer can install Linux with its development options and have everything needed to code, test, and package software. Linux also includes other tools needed to design, develop, and deploy software. Organizations that are creating a development, security, and operations (DevSecOps) process will find a wide variety of tools designed to support their practice. LinuxONE also supports a broad set of enterprise programming languages such as Python, Ruby, C and C++, Go, Swift, Java, and Lisp. Scripting and other interpreted languages are also available, including shells, PHP, Perl, awk, and others.

Beyond programming languages and integrated development environments (IDEs), LinuxONE supports open-source relational databases (PostgreSQL, MySQL, and MariaDB) and NoSQL databases (MongoDB, Cassandra, Redis, Apache Hadoop). Databases such as these are able to take advantage of the scalability and performance of LinuxONE and avoid the need for sharding (we discuss this in Chapter 3).

Because of LinuxONE’s enterprise architecture, some applications may need to be recompiled for LinuxONE. Other applications, such as those written using interpretive languages (for example, Java or Python), should be able to run on LinuxONE without needing to be ported. Most recently, Linux containers and Kubernetes have become popular with both developers and IT operators, and these are also supported on LinuxONE, including through Red Hat OpenShift.


Focusing on development processes, Linux also includes source control systems and bug tracking/issue management software. Finally, many commercial software products are also available for LinuxONE, including Oracle database, Temenos T24 core banking, IBM Financial Transaction Manager, IBM middleware such as Db2 and WebSphere, and Jira, one of the top tools used for agile product management.

LinuxONE as a DevSecOps Platform

Many organizations are moving to using a development, security, and operations (DevSecOps) approach. Rather than keeping development, operations, and security separate, DevSecOps combines them into a single practice. Many companies have already developed DevOps practices, and DevSecOps is the next step. DevSecOps begins with a change in culture founded in ongoing learning (to raise security awareness with developers who may already be entrenched in DevOps processes) and the empowerment of security experts to determine the best ways to embed security into applications.

The benefit of DevSecOps is that you have higher-quality, fully tested code that’s more secure and released more quickly than traditional development methods. LinuxONE is a good platform for DevSecOps because the platform is designed to be secure, and development and production systems can safely be run on the same server through workload isolation and container support.

Although DevSecOps is largely about changing your corporate culture and processes, a successful implementation does require technology and tools. Because many independent organizations are creating tools for Linux, you are able to take advantage of best-of-breed tools and software. DevSecOps depends on the ability to quickly and conveniently create new virtual servers for test and staging areas, deploy test instances with secure containers, and scale up production instances to handle changing loads. These tasks are routine for LinuxONE, making it an ideal platform as part of a DevSecOps practice.


LinuxONE for Solution Providers and Cloud Service Providers

LinuxONE is gaining a growing foothold as a platform for solution providers (SPs) and cloud hosts who deliver cloud and application services and provide data center management for clients. SPs can leverage this highly optimized open Linux platform to quickly build and deploy environments clients need to run their businesses. By using familiar applications, the IT specialists can design systems in secure containers assigned for one or multiple individual clients, providing privacy and security that clients demand, while simplifying life for developers and satisfying ongoing service level agreements (SLAs) from a single LinuxONE system. In turn, the system provides a platform that supports cloud-based usage reporting so SPs can leverage monthly pricing models and easily increase customers’ IT resources as needed through planned business growth or routine computing spikes.

SPs also look to LinuxONE as a preferred platform for consolidation (for Linux application environments, managed growth, and optimized utilization for x86 distributed server farms) and to manage large open databases like Oracle with intelligence and improved total cost of ownership (TCO) in mind. The inherent benefits of the platform and built-in security allow the SPs to start their work on a proven, trusted cloud-ready infrastructure, which increases speed to market and quality of IT overall.


Chapter 8

Ten Reasons to Consider IBM LinuxONE

IN THIS CHAPTER

» Meeting your organization’s computing requirements

» Securing all your data and applications

» Supporting the LinuxONE platform

Selecting a platform that protects your business and customer data and supports innovation can be difficult. You need to consider many issues when making a decision. The IBM LinuxONE platform may be a good choice for the following reasons:

» Hybrid cloud: The availability of Red Hat OpenShift and IBM Cloud Pak Solutions on IBM LinuxONE brings together the world of cloud-native applications and services with that of enterprise data center IT. Red Hat OpenShift applications can be developed once and deployed anywhere, including on LinuxONE where they inherit the system’s underlying security, scalability, and resilience.

» Security: Having security at the application layer or infrastructure level is no longer enough; you need protection at every level of your environment. Security needs to range from securing your cloud assets to data at rest and data in transit to your container platforms.


» Scalability: Meeting increasing customer demands and creating new services mean that the size and complexity of your workloads is likely expanding. LinuxONE’s scale-up approach allows you to meet expanding needs without adding additional hardware and complexity.

» Capacity: You can’t always anticipate how much computing power you need. Adopting a system that can support compute-heavy workloads is an important step in protecting your infrastructure investments.

» Manageability: The centralized approach of LinuxONE can be much easier to manage than complex distributed systems.

You can experience performance problems if you have too many systems trying to communicate across the network. Management can be impacted if critical operations aren’t effectively coordinated.

» Costs: Your existing IT infrastructure servers are likely underutilized, and your staff costs are high. If you can reduce costs, budget can be allocated toward innovation.

The LinuxONE platform dramatically supports sustainability and cost reduction by reducing power usage.

» Blockchain distributed ledger and digital asset applications: In order to protect your intellectual property and customer data, you need a highly secure approach that supports a transparent, trusted chain of custody.

» Innovation: To compete in fast-moving markets, you need to innovate and leverage new technologies, including containers, analytics, and artificial intelligence (AI). Get a platform that combines the latest innovation in software with secure and scalable systems of record.

» Linux and open source: Open source and the Linux operating system drive innovation and efficiency for your organization. The LinuxONE platform supports the three most common Linux distributions.

» Differentiating your cloud services: As a service provider, you need a platform that’s scalable and secure enough to differentiate your services from those of competitors. You want your teams to focus on innovation and customer needs, not the underlying platforms.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.